serv/tube
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Optionally require auth for the /upload endpoint (#23)

Browse source 
Reviewed-on: https://git.mills.io/prologic/tube/pulls/23
Co-authored-by: gabek <gabek@noreply@mills.io>
Co-committed-by: gabek <gabek@noreply@mills.io>
This commit is contained in:
gabek 2022-08-25 23:17:24 +00:00 committed by James Mills
parent ed8964ee7a
commit 1791533e0e
2 changed files with 55 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

6
app/app.go
View file

@ -14,9 +14,11 @@ import (
"sort" "sort"
"strings" "strings"
"git.mills.io/prologic/tube/app/middleware"
"git.mills.io/prologic/tube/importers" "git.mills.io/prologic/tube/importers"
"git.mills.io/prologic/tube/media" "git.mills.io/prologic/tube/media"
"git.mills.io/prologic/tube/utils" "git.mills.io/prologic/tube/utils"
rice "github.com/GeertJohan/go.rice" rice "github.com/GeertJohan/go.rice"
"github.com/dustin/go-humanize" "github.com/dustin/go-humanize"
"github.com/fsnotify/fsnotify" "github.com/fsnotify/fsnotify"
@ -95,9 +97,11 @@ func NewApp(cfg *Config) (*App, error) {
a.Templates.Add("import", importTemplate) a.Templates.Add("import", importTemplate)
// Setup Router // Setup Router
authPassword := os.Getenv("auth_password")
r := mux.NewRouter().StrictSlash(true) r := mux.NewRouter().StrictSlash(true)
r.HandleFunc("/", a.indexHandler).Methods("GET", "OPTIONS") r.HandleFunc("/", a.indexHandler).Methods("GET", "OPTIONS")
r.HandleFunc("/upload", a.uploadHandler).Methods("GET", "OPTIONS", "POST") r.HandleFunc("/upload", middleware.OptionallyRequireAdminAuth(a.uploadHandler, authPassword)).Methods("GET", "OPTIONS", "POST")
r.HandleFunc("/import", a.importHandler).Methods("GET", "OPTIONS", "POST") r.HandleFunc("/import", a.importHandler).Methods("GET", "OPTIONS", "POST")
r.HandleFunc("/v/{id}.mp4", a.videoHandler).Methods("GET") r.HandleFunc("/v/{id}.mp4", a.videoHandler).Methods("GET")
r.HandleFunc("/v/{prefix}/{id}.mp4", a.videoHandler).Methods("GET") r.HandleFunc("/v/{prefix}/{id}.mp4", a.videoHandler).Methods("GET")

50
app/middleware/auth.go Normal file
View file

@ -0,0 +1,50 @@
package middleware
import (
"crypto/subtle"
"net/http"
log "github.com/sirupsen/logrus"
)
// OptionallyRequireAdminAuth wraps a handler requiring HTTP basic auth
// using "uploader" as the username.
// If a password isn't set then auth is skipped.
func OptionallyRequireAdminAuth(handler http.HandlerFunc, password string) http.HandlerFunc {
return func(w http.ResponseWriter, r *http.Request) {
// Empty password means auth is not required.
if password == "" {
handler(w, r)
return
}
username := "uploader"
realm := "Tube uploader"
// The following line is kind of a work around.
// If you want HTTP Basic Auth + Cors it requires _explicit_ origins to be provided in the
// Access-Control-Allow-Origin header. So we just pull out the origin header and specify it.
// If we want to lock down admin APIs to not be CORS accessible for anywhere, this is where we would do that.
w.Header().Set("Access-Control-Allow-Origin", r.Header.Get("Origin"))
w.Header().Set("Access-Control-Allow-Credentials", "true")
w.Header().Set("Access-Control-Allow-Headers", "Origin, X-Requested-With, Content-Type, Accept, Authorization")
// For request needing CORS, send a 204.
if r.Method == "OPTIONS" {
w.WriteHeader(http.StatusNoContent)
return
}
user, pass, ok := r.BasicAuth()
// Failed
if !ok || subtle.ConstantTimeCompare([]byte(user), []byte(username)) != 1 || subtle.ConstantTimeCompare([]byte(pass), []byte(password)) != 1 {
w.Header().Set("WWW-Authenticate", `Basic realm="`+realm+`"`)
http.Error(w, "Unauthorized", http.StatusUnauthorized)
log.Debugln("Failed uploader authentication")
return
}
handler(w, r)
}
}